Kaspersky Warns of RenEngine Malware Spread via Pirated Software

KHADAMATY–NEW
Kaspersky has identified RenEngine, a malware loader distributed through pirated games and cracked software, expanding the threat surface beyond the gaming community.
Although RenEngine samples were first detected in March 2025, recent investigations show that attackers created dozens of websites offering infected installers, including pirated productivity tools such as CorelDRAW.
The malware campaign has affected users in multiple countries, including Russia, Brazil, Turkey, Spain, and Germany, indicating opportunistic rather than targeted attacks.
Initially used to deliver Lumma Stealer, current variants deploy ACR Stealer, with Vidar Stealer also observed. The infection chain leverages modified games built on the Ren'Py engine. When a modified game is launched, fake loading screens mask malicious background activity, which then deploys HijackLoader to execute multi-stage payloads.
Kaspersky detects RenEngine as Trojan.Python.Agent variants, while HijackLoader is identified as Trojan.Win32.Penguish and Trojan.Win32.DllHijacker.
The company advises users to download software only from official sources, keep systems updated, and use advanced security solutions such as Kaspersky Premium to mitigate evolving cyber threats.




